Security Incidents mailing list archives

Re: Ramen worm . More details on it. ( found a password and e-mails crypted inside it)


From: "Jeffrey F. Lawhorn" <jeffl () wanet net>
Date: Tue, 16 Jan 2001 15:17:49 -0800


In message <3A64ACD2.39EDC7B () profm ro>, Mihai Moldovanu said:

The asp executable (the one which gets installed in /sbin/asp and serves requests on 27374) has a strange getline
function coded which seems to be specially crafted to allow remote upload / execution of code. Unfortunately I can't
prove that function has a buffer overflow in it.


As near as I can determine, all the asp executable does is send the
configured file (/tmp/ramen.tgz) whenever it receives any data on the port
it's listening on (27374).

jeffl


--
Jeffrey F. Lawhorn                       |Internet Security Consulting
Software Design Associates, Inc.         |IDS Monitoring/Reporting
jeffl () wanet net       619-679-5900 voice |Expunge Intruders
http://www.wanet.net/ 619-679-2327 fax   |
Finger jeffl () wanet net for PGP Public Key.

Insist on Quality! WANet.Net is an ISP/C Member - http://www.ispc.org/
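
A host triage check for the indicators named in this thread (a listener on 27374, /sbin/asp, /tmp/ramen.tgz), added here as an example and not part of the original messages. The function names and the sample socket table are constructed for illustration, and the Linux /proc/net/tcp layout is assumed.

```python
import os

# Indicators taken from the thread above; everything else is constructed.
RAMEN_PORT = 27374
RAMEN_PATHS = ("/sbin/asp", "/tmp/ramen.tgz")
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample: a listener on 27374 (0x6AEE), a listener on 22, and an
# established connection whose *remote* port is 27374 (must not be flagged).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:6AEE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1177 1
   2: 0A000005:8C2A 0A000009:6AEE 01 00000000:00000000 00:00000000 00000000   500        0 1390 1
"""

def listening_ports(proc_net_tcp_text):
    """Return the set of local TCP ports that are in LISTEN state."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        # local_address is HEXADDR:HEXPORT; only the local port matters here.
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def ramen_indicators(proc_net_tcp_text, exists=os.path.exists):
    """List which of the thread's indicators are present on this host."""
    findings = []
    if RAMEN_PORT in listening_ports(proc_net_tcp_text):
        findings.append("listener on tcp/%d" % RAMEN_PORT)
    findings.extend("file present: " + p for p in RAMEN_PATHS if exists(p))
    return findings

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_NET_TCP  # fall back to the constructed sample
    for finding in ramen_indicators(text):
        print(finding)
```
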


Attachment: _bin